M
matt
For some of our PCs, we use generic logins in which every user of the PC
signs in with the same username and password.
Quite often, users will sign on to these PCs with an Active Directory
account other than the generic one. As a result, configuration of the
desktop, printers, IE, and other programs are incorrect and users can't use
the programs they are supposed to use.
The network administrator and I have discussed implementing a policy setting
to restrict these PCs by allowing only administrators and the generic
account the logon local privilege - preventing users from signing on with
other accounts.
Since the default domain policy grants the Everyone group the logon local
privilege, we will have to apply this setting at the Active Directory level
rather than on the local PC.
Each PC will need its own policy because the generic account is different
for each PC. We will link these policies to a high level OU and then grant
access on each policy to only the PC account involved.
If anyone has suggestions or comments on this, let me know. If you have a
better way, I would be curious. Also, if you know of a way of doing it with
a single GPO, that would be helpful, too. Please note that we realize
generic accounts aren't the best way of doing things, but for the time being
we would like to solve this problem without getting rid of generic accounts.
Also, we are presently restricting the generic login to its corresponding PC
(Active Directory setting). The question at hand is restricting the PC to
the corresponding generic login.
Thanks,
Matt
signs in with the same username and password.
Quite often, users will sign on to these PCs with an Active Directory
account other than the generic one. As a result, configuration of the
desktop, printers, IE, and other programs are incorrect and users can't use
the programs they are supposed to use.
The network administrator and I have discussed implementing a policy setting
to restrict these PCs by allowing only administrators and the generic
account the logon local privilege - preventing users from signing on with
other accounts.
Since the default domain policy grants the Everyone group the logon local
privilege, we will have to apply this setting at the Active Directory level
rather than on the local PC.
Each PC will need its own policy because the generic account is different
for each PC. We will link these policies to a high level OU and then grant
access on each policy to only the PC account involved.
If anyone has suggestions or comments on this, let me know. If you have a
better way, I would be curious. Also, if you know of a way of doing it with
a single GPO, that would be helpful, too. Please note that we realize
generic accounts aren't the best way of doing things, but for the time being
we would like to solve this problem without getting rid of generic accounts.
Also, we are presently restricting the generic login to its corresponding PC
(Active Directory setting). The question at hand is restricting the PC to
the corresponding generic login.
Thanks,
Matt